A 2017 Forecast for HIPAA Enforcement

It's time to dust off the crystal ball to offer predictions for what the Department of Health and Human Services' Office for Civil Rights might do in 2017 to administer and enforce the HIPAA privacy, security and breach notification rules.

The transition to a new presidential administration makes forecasting for 2017 and beyond particularly challenging. That's because President-elect Trump's positions on health information privacy and security are not well known.

Tom Price, Trump's pick to be the next HHS secretary, is a physician and a member of the House of Representatives who has generally supported the development of health information technologies. But he's a frequent critic of what he describes as burdensome regulations on healthcare providers. For example, he sponsored legislation to scale back the reporting requirements for providers participating in the HITECH Act's "meaningful use" electronic health record incentive payment program.

Dr. Price's legislative record also includes proposals to pare back the current HIPAA Privacy Rule prohibitions that keep health insurers from giving employers that sponsor employee benefit plans information about employees' and family members' health insurance claims and treatment records. If confirmed to lead HHS in a Trump administration, Dr. Price may take the department in a new direction in how it views HIPAA privacy protections.

Jocelyn Samuels will step down as head of OCR before Trump takes his oath of office on Jan. 20. It's unlikely that the Trump administration will appoint a new OCR director anytime soon. While the job is important, it is not politically sensitive. Poised to take the reins are career senior staff who have been with the agency for many years. Watch for Principal Deputy Robinsue Frohboese or Deputy Director for Operations Steve Novy to lead on an acting basis until a permanent director is named.

Outlook for Enforcement

Look for 2017 to be a year when OCR continues to exercise its HIPAA enforcement muscle - just not at the record pace seen in 2016.

OCR has been on a tear, settling 11 cases in 2016 with resolution agreements and corrective action plans. The agency also won a decision by an administrative law judge in an enforcement action contested by a home healthcare and medical equipment supplier (see OCR Slaps Home Health Provider with Penalty).

Since the middle of 2015, OCR has collected more than $27 million in penalties from covered entities and business associates. And behind the scenes, the agency has closed hundreds of other compliance reviews that forced organizations to take actions to update their compliance policies or safeguards for protecting health information.

The common denominator in many of the settled cases was that the covered entity or business associate had suffered one or more breaches affecting 500 or more individuals sometime between 2011 and 2013. The enforcement actions came about when investigations into the root cause of the breach found systemic, often profound, failures in the organization's program for safeguarding protected health information. The deficiencies cited most often were the failure to perform an information security risk analysis (commonly called a risk assessment) and the failure to have a risk management plan to address the gaps it identifies in the safeguards for information systems; both are required under the HIPAA Security Rule.

With nearly 1,800 major breaches (those affecting 500 or more individuals) posted on the OCR "wall of shame" and more than 240,000 smaller breaches reported to OCR since 2009, the agency will continue to enjoy bipartisan support from Congress and the incoming administration to hold healthcare organizations accountable for failing to have adequate safeguards in place to protect patient information from unauthorized disclosure.

A new window of OCR enforcement activity may be opening in 2017. Recent guidance issued by OCR spells out that healthcare organizations using health information technologies, such as internet patient portals, websites and healthcare apps, must make them accessible to people with disabilities. The agency could be preparing to use its enforcement authority under the Americans with Disabilities Act to take action against healthcare facilities whose health information technologies present barriers to accessibility.

Permanent HIPAA Audit Program

In 2016, OCR conducted desk audits of approximately 225 covered entities and business associates, measuring how organizations had adopted policies and carried out processes for selected provisions of the HIPAA privacy, security and breach notification rules. But so far, OCR apparently has not delivered reports of its findings to any of the organizations that responded to the audit.

OCR badly wants the audit program to be seen as a success and to make it a permanent fixture. Look for the agency to retool and reboot the program, first by seeking a new contractor better able to handle the demands of examining HIPAA compliance. Beyond the pain felt by the relatively few organizations selected for audits in early 2017, look for a new and improved permanent audit program to be launched late in the year or in early 2018.

Rulemaking and Guidance

OCR used 2016 to tick a number of guidance topics off its to-do list. Notably, the agency issued guidance on HIPAA compliance for cloud computing, provided a crosswalk on applying the NIST Cybersecurity Framework to assess compliance with the HIPAA Security Rule and issued guidance on patients' rights to access and share their health information along with materials to help healthcare providers navigate the HIPAA requirements when disclosing PHI through health information exchanges.

The recently enacted 21st Century Cures Act could also be a driving force for the guidance and regulatory activities in the coming year.

The legislation amends the HITECH Act to extend an individual's right to access their PHI to data held by business associates. The new law also directs formation of a working group to study potential changes to the HIPAA Privacy Rule regarding when researchers can access PHI without a patient's permission.

The new law also calls on OCR to develop guidance and educational materials for patients and healthcare providers on a broad range of topics.

Much is up in the air for OCR as we begin 2017. The start of the Trump administration will keep the agency from issuing new regulatory guidance on HIPAA topics until the new HHS secretary's leadership team, including an OCR director, is in place. The barometer for OCR's direction in the coming months will be its continued enforcement efforts. Will the new administration give OCR a free hand to negotiate settlements with steep financial penalties over alleged HIPAA violations? Or will the agency see its wings clipped and be required to close investigations into large breaches behind the scenes through informal case resolutions? Only time will tell.

About the Author

Holtzman joined the information security consulting firm CynergisTek in 2013, where he serves as vice president of privacy and security compliance services. Previously, the attorney was a senior adviser at the Department of Health and Human Services' Office for Civil Rights, where he played key roles in planning and developing policy and guidance issued under HIPAA and HITECH Act regulations. Earlier, Holtzman served as the privacy and security officer for Kaiser Permanente's Mid-Atlantic region.